Docker-compose and Dockerfile to set up a WireGuard VPN connection, forcing specific TCP traffic through a SOCKS proxy.
I set this up after fighting with socks proxies and Windows offensive tooling.
The intention is to facilitate tooling on Windows and macOS that ignores things like proxychains, Proxifier, and ProxyCap. This is done by using WireGuard to VPN into a Linux host running this project, which has routing set up to force traffic via tun2socks into a SOCKS5 proxy.
The `docker-compose` provided by Ubuntu (and other distributions) is old and doesn't support the compose file versions that allow networking fanciness. Please make sure you are using a recent version of docker-compose. One way to check whether you have a recent enough version is to run `docker compose version`. If either the command is not available, or the version reported is not at least 2.10, then you need to upgrade.
A `docker-compose.yml` has been provided to set up both tun2socks and WireGuard. Copy the example `.env.example` file to `.env` and tweak the values as needed (it should have enough documentation to know what each value is for). Then, start the stack with:

```sh
docker-compose up -d
```
You can view the logs from tun2socks to check what is being proxied and any errors with:

```sh
docker-compose logs -f
```
The docker-compose will also set up WireGuard, and you should be able to find the peer config you want to use in the `./config/peer*` directories (depending on how many peers you configured). Grab that and import it into the client you want to proxy communications from.
Note: in some cases it may be useful to add the `PersistentKeepalive = 2` directive in the `[Peer]` section if you experience random timeouts.
Now all traffic for the networks you want to reach should be forced through the SOCKS proxy without hassle, together with DNS.
For DNS we use CoreDNS to translate DNS requests for a specific domain and forward them using a TCP lookup. Since the tunnel only carries TCP, this effectively gets us DNS through the SOCKS tunnel.
Below is some more technical information about the containers used in the `docker-compose.yml` file.
The `wiresocks` service runs a docker image with the `--cap-add=NET_ADMIN --sysctl="net.ipv4.ip_forward=1" --device=/dev/net/tun:/dev/net/tun` flags to allow the container to create a TUN interface as well as set routes for it.
You specify the SOCKS proxy using the `PROXY` environment variable; make sure your docker host can reach that proxy. It is the same as the `-e` flag given to tun2socks.

```sh
-e PROXY=socks5://socksaddress:1080
```
You can also specify which ranges you want redirected to the SOCKS proxy by providing a `TUN_INCLUDED_ROUTES` environment variable:

```sh
-e TUN_INCLUDED_ROUTES=192.168.165.0/24
```
`TUN_INCLUDED_ROUTES` may be comma separated for multiple ranges.
The container will start tun2socks and configure routes to forward traffic for the ranges provided in `TUN_INCLUDED_ROUTES` through the created TUN interface.
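As an added example (not WireSocks' own entrypoint script), here is a POSIX shell routine that does what the container does with `TUN_INCLUDED_ROUTES`: it splits the comma-separated list, rejects malformed ranges instead of passing them to `ip`, and emits or applies the `ip route add ... dev tun0` commands that steer those ranges into the tun2socks interface. The `TUN_DEV` variable, the `DRY_RUN` switch and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the project's entrypoint. Assumed names: TUN_DEV,
# DRY_RUN, valid_cidr, route_cmds_for, apply_included_routes.
set -eu

# Return 0 if $1 looks like a valid IPv4 CIDR (a.b.c.d/n), else 1.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}; plen=${1#*/}
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print one `ip route add` line per range in $1 (comma separated, spaces
# tolerated) for device $2. Invalid entries go to stderr and are skipped.
route_cmds_for() {
    routes=$1; dev=$2
    oldifs=$IFS; IFS=,; set -- $routes; IFS=$oldifs
    for r in "$@"; do
        r=$(printf '%s' "$r" | tr -d ' ')
        [ -n "$r" ] || continue
        if valid_cidr "$r"; then
            printf 'ip route add %s dev %s\n' "$r" "$dev"
        else
            printf 'skipping invalid route: %s\n' "$r" >&2
        fi
    done
}

# Apply the routes from TUN_INCLUDED_ROUTES unless DRY_RUN is set. The real
# thing needs NET_ADMIN and the TUN device (tun0) already created by tun2socks.
apply_included_routes() {
    route_cmds_for "${TUN_INCLUDED_ROUTES:-}" "${TUN_DEV:-tun0}" |
    while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else $cmd; fi
    done
}
```

Run it with `DRY_RUN=1 TUN_INCLUDED_ROUTES=192.168.165.0/24,10.10.0.0/16 sh -c '. ./routes.sh; apply_included_routes'` to preview the commands before letting them touch the routing table.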
You can use the `--net container:wiresocks` option with other docker containers to have them share the same network namespace as the wiresocks container. This includes the configured routes as well as access to the TUN interface, which means you can tunnel arbitrary containers through tun2socks with this option. In the docker-compose we use it for WireGuard so that Windows/macOS clients only need a WireGuard config to have their traffic transparently proxied.
The original idea used Darkk's redsocks, which is amazing!
This version uses the equally amazing tun2socks by xjasonlyu!
It uses LinuxServer's wireguard image to set up the WireGuard VPN used to connect into the SOCKS network.
WireSocks is licensed under the GNU General Public License v3. Permissions beyond the scope of this license may be available at http://sensepost.com/contact/.